From: Philippe Antoine
Date: Tue, 28 Apr 2026 08:19:14 +0000 (+0200)
Subject: dcerpc: move dcepayload unit tests to SV
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;ds=inline;p=thirdparty%2Fsuricata-verify.git
dcerpc: move dcepayload unit tests to SV
Ticket: 8391
---
diff --git a/tests/dcerpc/dcerpc-dcepayload-15/input.pcap b/tests/dcerpc/dcerpc-dcepayload-15/input.pcap
new file mode 100644
index 00000000..93cc9860
Binary files /dev/null and b/tests/dcerpc/dcerpc-dcepayload-15/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dcepayload-15/test.rules b/tests/dcerpc/dcerpc-dcepayload-15/test.rules
new file mode 100644
index 00000000..6ca60199
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-15/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest15 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,14080,0,relative,dce; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest15 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,46,5,relative,dce; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-15/test.yaml b/tests/dcerpc/dcerpc-dcepayload-15/test.yaml
new file mode 100644
index 00000000..1b2592ad
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-15/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-16/input.pcap b/tests/dcerpc/dcerpc-dcepayload-16/input.pcap
new file mode 100644
index 00000000..28180067
Binary files /dev/null and b/tests/dcerpc/dcerpc-dcepayload-16/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dcepayload-16/test.rules b/tests/dcerpc/dcerpc-dcepayload-16/test.rules
new file mode 100644
index 00000000..ec7f4e1d
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-16/test.rules
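Review bot: The new test.rules files carry no comment recording what each signature pair exercises, so after the move the intent survives only in the `msg` strings (DcePayloadTest15 sig1/sig2 in this hunk, and the same in the dcerpc-dcepayload-16 through -20 rules hunks that follow). A one-line `#` header per file would keep it discoverable without the original unit-test source at hand, e.g. for this file `# byte_test with the dce modifier: byte order follows the DCERPC header (sig1 at stub offset 0, sig2 at offset 5); moved from unit tests, Ticket 8391`, and for -16/-17 the no-modifier versus explicit big/little variants, for -18/-19/-20 the byte_jump-then-byte_test combinations. The expected values (14080 vs 55, 11776 vs 46) look like the same two bytes read under the two byte orders, but I have not checked that against the pcaps, so word the comment around intent rather than arithmetic unless it is confirmed.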
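Review bot: Each check scopes its filter to `pcap_cnt: 4` as well as the sid, so `count: 1` is only evaluated over packet 4 and an extra alert from either signature on any other packet would pass unnoticed; the same test.yaml (blob 1b2592ad) is reused by all six tests on this and the following hunks, so the gap applies to each of them. Adding an unscoped filter that pins the total alert count to 2 makes the test fail on spurious matches as well as on missing ones. The `-k none --set stream.inline=true` args are also unexplained; presumably they carry over the settings of the original unit tests, and a short comment such as `# engine settings carried over from the original DcePayload unit tests (Ticket 8391) — confirm` would save the next maintainer from guessing.

```yaml
checks:
# … unchanged: the two per-sid filters scoped to pcap_cnt 4 …
- filter:
    count: 2
    match:
      event_type: alert
```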
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest16 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,55,0,relative; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest16 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,11776,5,relative; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-16/test.yaml b/tests/dcerpc/dcerpc-dcepayload-16/test.yaml
new file mode 100644
index 00000000..1b2592ad
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-16/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-17/input.pcap b/tests/dcerpc/dcerpc-dcepayload-17/input.pcap
new file mode 100644
index 00000000..bb89de9b
Binary files /dev/null and b/tests/dcerpc/dcerpc-dcepayload-17/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dcepayload-17/test.rules b/tests/dcerpc/dcerpc-dcepayload-17/test.rules
new file mode 100644
index 00000000..cb555261
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-17/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest17 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,55,0,relative,big; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest17 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,46,5,relative,little; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-17/test.yaml b/tests/dcerpc/dcerpc-dcepayload-17/test.yaml
new file mode 100644
index 00000000..1b2592ad
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-17/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-18/input.pcap b/tests/dcerpc/dcerpc-dcepayload-18/input.pcap
new file mode 100644
index 00000000..38f14938
Binary files /dev/null and b/tests/dcerpc/dcerpc-dcepayload-18/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dcepayload-18/test.rules b/tests/dcerpc/dcerpc-dcepayload-18/test.rules
new file mode 100644
index 00000000..98ba33c3
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-18/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest18 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest18 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-18/test.yaml b/tests/dcerpc/dcerpc-dcepayload-18/test.yaml
new file mode 100644
index 00000000..1b2592ad
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-18/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-19/input.pcap b/tests/dcerpc/dcerpc-dcepayload-19/input.pcap
new file mode 100644
index 00000000..031a7337
Binary files /dev/null and b/tests/dcerpc/dcerpc-dcepayload-19/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dcepayload-19/test.rules b/tests/dcerpc/dcerpc-dcepayload-19/test.rules
new file mode 100644
index 00000000..c1aba2a9
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-19/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest19 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest19 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-19/test.yaml b/tests/dcerpc/dcerpc-dcepayload-19/test.yaml
new file mode 100644
index 00000000..1b2592ad
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-19/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-20/input.pcap b/tests/dcerpc/dcerpc-dcepayload-20/input.pcap
new file mode 100644
index 00000000..b8c8d7f3
Binary files /dev/null and b/tests/dcerpc/dcerpc-dcepayload-20/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dcepayload-20/test.rules b/tests/dcerpc/dcerpc-dcepayload-20/test.rules
new file mode 100644
index 00000000..e918b884
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-20/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest20 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest20 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-20/test.yaml b/tests/dcerpc/dcerpc-dcepayload-20/test.yaml
new file mode 100644
index 00000000..1b2592ad
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-20/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4